Jump to content

I think I'm infected with opencandy (stubinst_pkg_en-us[1].cab)


Recommended Posts

Hi.  As fair warning, I'm not the most computer savvy person around, so apologies if I don't understand your instructions right away.


I believe my computer is infected with this opencandy thing.  I'm not sure exactly what it is, but I think it's a trojan of some kind.  My computer hasn't done anything really wonky yet, but while websurfing I got a pop-up website tab in Chrome claiming some kind of government detection of illegal activity and saying my computer was going to be blocked and files encrypted or something, it was also asking for money or something.  I used ctrl-alt-delete to end the Chrome program and immediately started running avast antivirus and then malwarebytes.  Avast didn't find anything, but Malwarebytes found this PUP opencandy thing.  I quarantined it, but haven't done anything else yet.  I saw on your forums that someone else had the same thing come up in their scan, and your experts had him do extra actions to fully clean it from his computer.  So I signed up an account and am here asking for your expert help with it.


This is the scan history log I got from Malwarebytes.  Please let me know what I should do.  Thank you.



Malwarebytes Anti-Malware

Scan Date: 9/2/2014
Scan Time: 9:00:18 PM
Logfile: Malwarebytes Scan History Log - 9-2-2014.txt
Administrator: Yes

Malware Database: v2014.09.03.01
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Christine

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 270417
Time Elapsed: 7 min, 35 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.OpenCandy, C:\Documents and Settings\Christine\Local Settings\Temporary Internet Files\Content.IE5\K9G983YX\stubinst_pkg_en-us[1].cab, Quarantined, [9e9fb435d6a5f343f1983ad6e91c748c],

Physical Sectors: 0
(No malicious items detected)


Link to post
Share on other sites

They call me TwinHeadedEagle around here, and I'll be working with you.
Before we start please read and note the following:

  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, what may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

:excl: I can't foresee everything, so if anything unexpected happens, please stop and inform me!
:excl: There are no silly questions. Never be afraid to ask if in doubt!
  warning.gif Rules and policies
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Link to post
Share on other sites

Hi there.


Attached are my scan logs.


Also, I don't know if this makes a difference for anything, but this computer is not an off-the-shelf computer.  A friend put it together for me and loaded the OS and some basic software before I got it.  I don't know that much about computers and troubleshooting, myself, which is why I'm asking for help here.  I don't think I have any P2P software installed on here.  And I'm not aware of any illegal software or things on it either.



Link to post
Share on other sites

PC looks clean, we'll perform just some clean-up :)




FRST.gif Fix with Farbar Recovery Scan Tool


icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif

icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

Press the WindowsKey.png + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:

  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.

    (XP users click run after receipt of Windows Security Warning - Open File).

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.
Link to post
Share on other sites

Okay, I got up to the Run as Administrator part.  Then I'm a little confused.  I right click and select 'Run as..."  A box opens that has me select between my current account, or select another account (Administrator is already typed as default in the other account box).  But I really only have the one account, and on the profile for my current account it says it's the 'computer administrator' under the account name.


What should I do?  Do I just run it for this account, or is there some other Administrator account it needs to be run in instead?

Link to post
Share on other sites

I think it's okay.  Nothing weird or bad is happening, and I deleted the file from quarantine so it's gone now.  I ran another Malwarebytes scan, and nothing else came up as a threat.


So I think it's all good.  


Thank you very much for all your help.

Link to post
Share on other sites

Good. Then we're done :)
Below you will find my thoughts about securing your machine. Go ahead through it, you will benefit from some useful advice about safe computing. 

Recommended reading:

icon_exclaim.gifMUST READ - security tips:

icon_exclaim.gifMUST READ - general maintenance:

The Importance of Software Updating:


In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.
Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

Recommended additional software:

icon_arrow.gifTFC - to clean unneeded temporary files.
icon_arrow.gifMalwarebytes' Anti-Malware - to scan your system from time to time in search for malware.
icon_arrow.gifMalwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
icon_arrow.gifMcShield - to prevent infections spread by removable media.
icon_arrow.gifCryptoPrevent - to secure yourself from very severe CryptoLocker infection.
icon_arrow.gifUnchecky - to prevent from installing additional foistware, implemented in legitimate installations.
icon_arrow.gifFiheHippo.com Update Checker - to keep your programs up-to-date.
icon_arrow.gifAdblock - to surf the web without annoying ads! 

Post-cleanup procedures:


Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right click on the 51a5ce45263de-delfix.png icon and Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report. You do not need to attach it.

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning. 

My help is free for everybody.

If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation: xbtn_donate_SM.gif.pagespeed.ic.MMi5tqVp

Thank you!

Stay safe,
TwinHeadedEagle   :)

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.